Wireshark · Ethereal-users: RE: [Ethereal-users] Three big problems

[Alistair.McGlinchy@xxxxxxxxxxxxxxxxxxxxx]

Justin,

> 1)  I have a 2GB capture file that I need to split.  I don't 
> particularly care if it's split into chunks of NN packets or 
> files of some size, but I certainly can't analyze the file as 
> it is.  Second best would be a suggestion for an algorithm I 
> could implement in Perl that would allow me to use editcap to 
> split the file without knowing how many packets are in the 
> file.  (e.g.  "while <some test>, editcap -r infile 
> next.outfile <next chunk>").

Here's my perl code to do the split. It's tested on a smallish trace file,
although I can't guarantee it's efficiency when re-reading a 2GB file
multiple times.

use strict;
my $big_file=$ARGV[0] || "splat.trc";
my $start_frame=1;
my $split_every=1000; # frames;
while (1)  {
	my $end_frame=$start_frame+$split_every-1;
	(my $split_name=$big_file) =~
s/\.([^\.]*)$/.$start_frame-$end_frame.$1/;
	print `editcap -r $big_file $split_name $start_frame-$end_frame`;
	last if -s  $split_name < 60; # I get a 24 byte file when out of
range.
	$start_frame+=$split_every;
}

> 2)  I need to be able to use the ring buffer feature with a 
> ten-second autostop (rather than specifying a file size).

Can't help you here, although given the volume of traffic you appear to
anticipate collecting I can't see why you wouldn't settle for a frame count
based solution. Start a new file every 1000 frames if it pleases you.

> 3)  I need to be able to use at least 1000 files in the ring 
> buffer (although about 60,000 would be much better).  This 
> one is by far the most important, since if I can get past the 
> 10 file limitation I can worry about item 1) above and make 
> do, but with only 10 files in the ring buffer I'm screwed.

Ethereal doesn't maintain any locks on the other files in the ring buffer.
Perhaps you could copy (or even move) the files to your own "ring buffer"
directory. Should be a trivial perl script to sleep every 100ms and check
for any new files and FIFO data older than 3 days. 

> The deal is that I need to run a perpetual packet capture on 
> a 75+ Mb link and I need to buffer to hold at least 3 days 
> worth of data.  I have the disk space and the server hardware 
> to do this, but I'm limited by Ethereal.

This is certainly a non-trivial task!

Perhaps you could consider other technologies such as ntop or Netflow to
collect this for you?

What are you planning on doing with the data when you collect it?  

Do you need the full frame count or just the src and dst IP addresses?

Are you just looking for a particular event? Ethereal can't do this (yet),
but you can get NG Sniffer to start storing a capture to disk when it sees a
particular trigger frame.

HTH

Alistair


-----------------------------------------------------------------------


Registered Office:
Marks & Spencer p.l.c
Michael House, Baker Street,
London, W1U 8EP
Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422 
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

The registered office of Marks and Spencer Financial Services PLC, Marks and Spencer Unit Trust Management Limited, Marks and Spencer Life Assurance Limited and Marks and Spencer Savings and Investments Limited is Kings Meadow, Chester, CH99 9FB.